You know I used to really like W3AF but for the last year or 2 I have had tons of stability issues and it always seems to crash right after it found something useful. When it works, it's beautiful, but ...

I will agree with MaXe about the manual method. This way you can control what you do to the site/app. Any of the automated scanners have the possibility of sending more traffic than expected and that could cause some headaches. Even when using Nessus with Safe scans enabled, they warn that it could still have unintended results and should be done off hours.

I've made w3af crash just running a full audit against a single VM on the same host. Then again I also found later I forgot to dial back the RAM on my guests after removing some bad physical RAM DIMMs. I'm sure neither was related :p

Thanks for the input. I realized after my original post that nearly all injection tests are going to result in database garbage unless I can specifically exclude any forms that I know store the input in a database and then test those forms manually. Then I can end up with a handful of trash entries instead of hundreds.

Right now, we have Nessus and will be using its limited web app scanning features. I've used w3af before but have had stability issues as well, or differing results depending on whether I ran it in Windows or Linux. Burp is on our list to buy in the near future, but won't go through until after this is done.

Since we're going to be coming back to these apps later for more thorough testing, I may just have to limit this engagement to discovery. That sucks, but I also don't want to lose my job.

Nessus, Nikto, and maybe Burp (not pro) seem like they might be all I'll get around to using this time. Sound like a half-way decent plan?

Don't you have any test/dev systems available? You might want to start there if you don't. Even the best tools could cause fluke problems. If a production problem would be that detrimental, you should try avoiding that situation entirely.

Cool thing to do is if you have an ESX server you can P2V your web server environment and run your tests that way. You can then record the results and at that point implement fixes to see what if anything breaks. ESXi is free and the Conversion tool is also free. The beauty of this is that you can run the conversion hot.

Since the system is live, I would not use any tools. I would maybe do a code review and see if you are doing anything bad, as well as making sure that there is no low hanging fruit: Is the database username admin? Is it using a weak password? Is there anywhere in the code that uses a dangerous function like include, and are there better ways to do this? Do you have files on the system locked down, or can I get to your admin page easily? Do you have a strong password policy? Do you have stupid comments that say username: admin password: password, or a version number? Do you have robots.txt, and does this tell me interesting directories?
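The code-review checklist in the post above, turned into a small static review script. This is an added example, not code from the thread or from any of the posters; the PHP snippet and the robots.txt are constructed samples, and the regexes are assumptions about common PHP idioms (define() constants, superglobals, //, # and /* comments) rather than a real parser.

```python
"""Static checks for the low-hanging fruit named in the post above.

Added example, not code from the thread. The PHP source and robots.txt are
constructed samples, and the regexes are assumptions about common PHP idioms
(define() constants, superglobals, //, # and /* comments), not a real parser.
"""
import re

# Constructed PHP snippet that deliberately contains each issue being checked.
SAMPLE_PHP = r"""<?php
// TODO remove before release: username:admin password : password
define('DB_USER', 'admin');
define('DB_PASS', 'password');
/* app version 2.3.1 */
$page = $_GET['page'];
include($page . '.php');          // dynamic include built from request input
require_once 'lib/common.php';    // static include, nothing to flag
echo "ok";
"""

# Constructed robots.txt: every Disallow line advertises a path to anyone who reads it.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /images/
Allow: /
"""

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
TAINT_ASSIGN = re.compile(r"(\$\w+)\s*=\s*[^;]*\$_(GET|POST|REQUEST|COOKIE)\b")
INCLUDE_STMT = re.compile(r"\b(include|require)(_once)?\b")
COMMENT = re.compile(r"(//|#|/\*)(.*)")
CRED_COMMENT = re.compile(r"\b(password|passwd|pwd|username|user)\s*[:=]", re.I)
VERSION_COMMENT = re.compile(r"\bversion\b|\b\d+\.\d+(\.\d+)?\b", re.I)
DEFINE = re.compile(r"define\(\s*['\"](DB_USER|DB_PASS)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")

PRIVILEGED_USERS = {"admin", "root", "sa"}                 # constructed short lists
WEAK_PASSWORDS = {"", "password", "admin", "123456", "root"}


def find_dynamic_includes(src):
    """Line numbers where include/require uses request input, either directly or via
    a variable assigned from it earlier in the same file (single pass, same file only)."""
    tainted, hits = set(), []
    for no, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0]            # ignore trailing // comments
        m = TAINT_ASSIGN.search(code)
        if m:
            tainted.add(m.group(1))
        if INCLUDE_STMT.search(code) and (
            SUPERGLOBAL.search(code)
            or any(re.search(re.escape(v) + r"\b", code) for v in tainted)
        ):
            hits.append(no)
    return hits


def find_credential_comments(src):
    """(line, kind) for comments that look like they leak credentials or a version."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = COMMENT.search(line)
        if not m:
            continue
        text = m.group(2)
        if CRED_COMMENT.search(text):
            findings.append((no, "credentials"))
        elif VERSION_COMMENT.search(text):
            findings.append((no, "version"))
    return findings


def check_db_config(src):
    """Flag a privileged database account and a weak password in define() calls."""
    settings = dict(DEFINE.findall(src))
    issues = []
    if settings.get("DB_USER", "").lower() in PRIVILEGED_USERS:
        issues.append("privileged DB user")
    if "DB_PASS" in settings and settings["DB_PASS"].lower() in WEAK_PASSWORDS:
        issues.append("weak DB password")
    return issues


def robots_disallows(text):
    """Paths a robots.txt tells crawlers to avoid, i.e. the directories it discloses."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def review(php_src, robots_txt):
    """Run every check and return a single report dict."""
    return {
        "dynamic_includes": find_dynamic_includes(php_src),
        "risky_comments": find_credential_comments(php_src),
        "db_config": check_db_config(php_src),
        "robots_disallow": robots_disallows(robots_txt),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_PHP, SAMPLE_ROBOTS).items():
        print(f"{key}: {value}")
```

Run it against a checkout of the application rather than the live server: none of these checks send a request, which is the point of doing review instead of scanning when the system is in production. The taint tracking is deliberately minimal (one file, one pass), so treat a clean result as "nothing obvious", not as proof.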

Using Burp or ZAP you can exclude the paths you don't want to test. I've never tried to exclude specific forms that weren't referenced as a unique URL. This is pretty important since you don't want to cram input into the deleteUser page...
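A way to build that exclusion list before the scanner ever touches the site: crawl the page's forms and sort them into "safe to scan", "test by hand" (the forms from the earlier post that are known to store input in the database) and "never touch" (deleteUser, logout and the like). This is an added example, not the poster's code and not a Burp or ZAP feature; the HTML page is constructed, and the exclusion patterns and the set of forms known to write to the database are assumptions to adapt per application.

```python
"""Sort the forms on a page into scan buckets before pointing a scanner at it.

Added example, not the original poster's code and not a Burp or ZAP feature.
The HTML is a constructed page, and the exclusion patterns and the list of
forms known to write to the database are assumptions to adapt per application.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page: one harmless search form, one form that persists to the
# database, two state-changing forms, and one form with no action attribute.
SAMPLE_HTML = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="/contact" method="post"><input name="email"><textarea name="msg"></textarea></form>
<form action="/admin/deleteUser" method="post"><input name="id"></form>
<form action="/logout" method="post"></form>
<form method="get"><input name="page"></form>
</body></html>
"""

# Assumed policy: paths matching these never receive automated input ...
EXCLUDE_PATTERNS = [r"delete", r"remove", r"logout", r"^/admin/"]
# ... and these are known to store submissions, so they are tested by hand only.
MANUAL_ONLY = {"/contact", "/register"}


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify_forms(html, base_url):
    """Return {'automated': [...], 'manual': [...], 'excluded': [...]} of form paths."""
    parser = FormCollector()
    parser.feed(html)
    buckets = {"automated": [], "manual": [], "excluded": []}
    for form in parser.forms:
        # An empty action submits to the current page, which urljoin handles.
        path = urlparse(urljoin(base_url, form["action"])).path
        if any(re.search(p, path, re.I) for p in EXCLUDE_PATTERNS):
            buckets["excluded"].append(path)
        elif path in MANUAL_ONLY or form["method"] == "post":
            # Conservative default: anything that POSTs may write, so keep it manual.
            buckets["manual"].append(path)
        else:
            buckets["automated"].append(path)
    return buckets


def scope_exclusions(buckets):
    """Sorted paths to paste into the scanner's exclude-from-scope list."""
    return sorted(set(buckets["excluded"] + buckets["manual"]))


if __name__ == "__main__":
    result = classify_forms(SAMPLE_HTML, "https://app.example.test/products")
    for name, paths in result.items():
        print(f"{name}: {paths}")
    print("exclude:", scope_exclusions(result))
```

The "POST means manual" default is the conservative reading of the thread: a GET search form can be fuzzed a thousand times without leaving a row behind, while anything that writes needs to go into the manual bucket until a developer confirms otherwise. Forms that share a URL with a harmless page but differ only in a hidden field still need a manual look, since a path-based exclusion cannot separate them.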

I never thought of the P2V thing. That's actually a pretty good idea. I doubt I will be able to use that technique for this engagement because of server locations and the parties I would have to involve to get that done, but I'm definitely going to remember that for next time.

I actually just got word that there will be some dev systems available to test. My plan now is to do any intrusive scans on those systems first, do discovery scans on the live systems, and then use the results from dev to manually verify those vulnerabilities on the live systems. Right now I'm being told that these are just going to be preliminary scans. I'll just be grabbing the low hanging fruit and then coming back later to do a comprehensive test.

The nature of these web applications makes it nearly impossible to test much without filling up the database with crap(forms, forms, and more forms), but now that I have the dev systems open to me, I should be able to get a lot more out of it.

eyenit0 wrote: Good point. I'll be sure to check on that! I'd have a heart attack if I found that out after...

^^ Yep... Sometimes surprising what developers will forget to mention, and would hate for you to find out the hard way. That never helps justify security budgets for the future, if it causes issues, so better to find it in advance!

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'